Feeling Safe in the Home of the Future
A product life-cycle approach to improve the trustworthiness of smart home products and services

BRIEFING PAPER
AUGUST 2020

Cover: R Classen Layouts/Getty Images
Inside: Hispanolistic/Getty Images, Marvin Samuel Tolentino Pineda/Getty Images, Eye Crave/Getty Images, Onfokus/Getty Images, Glenn Carstens-Peters/Unsplash

Contents
Foreword
1 Introduction
2 Pre-Market
3 Sales and Setup
4 After-Market
5 Conclusion
Contributors
Endnotes

© 2020 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

Foreword

Smart home technologies are changing the way we live. It is time to change the way we design and manage these technologies.

Jeff Merritt, Head of Internet of Things, Robotics and Smart Cities, Member of Executive Committee, World Economic Forum
Burak Demirtas, Koç Holding Fellow, Centre for the Fourth Industrial Revolution, World Economic Forum

For many children and young adults growing up around the world today, voice assistants such as Alexa, Siri or Google Assistant have become almost like another member of the family. They provide advice on the weather when you cannot decide what to wear, they answer your questions when you are having trouble remembering a fact or are just feeling curious, they can tell you a joke or play your favourite songs if you are feeling down, and they may even help turn off the lights for you when it is time for bed.

Whereas voice assistants and smart speakers are still relatively new – Amazon Alexa and Echo were first introduced in 2014 – the ease and speed in which consumers have adopted these and other smart home technologies has been dramatic. Meanwhile, many details about these technologies – from their business models to their product features and maintenance plans – remain ill-defined or shrouded in mystery. It is time for the smart home ecosystem to grow up.

This paper is intended to spur collective thinking and action among business, government and civil society. We invite you to join us as we work to shape the development, use and impact of these technologies for the benefit of society.

1 Introduction

To realize the true promise of the smart home, trust must be baked into each phase of the product life cycle.

A home is more than a building or a place of shelter. It is where we take care of the people and things that mean the most to us. Turning a physical structure into a place of comfort, safety and sanctuary is hard work, but what if the home itself could help?

This is the promise of the smart home, a house equipped with internet-connected devices for controlling, automating and optimizing functions such as temperature, lighting, security or entertainment, either remotely or through a system within the house. Incorporating these Internet of Things (IoT) devices into a home can help a homeowner increase the safety of their loved ones and valuables, save money on energy bills, improve their wellness and save time.

Technological advancements can also come with unintended impacts for society. The appliance boom brought forward by the Second Industrial Revolution, for example, not only made it easier to do laundry, it ultimately opened the door for more women to enter the workforce.[1] The introduction and expansion of processed foods and microwave ovens made mealtime easier at home, but also contributed to higher rates of obesity.[2] As the smart home environment continues to evolve, the full range of new opportunities – as well as potential challenges – continues to emerge.

The COVID-19 pandemic is shining a spotlight on the potential impact of smart home devices in our daily lives, businesses and society. Most notably, COVID-19 has dramatically increased the amount of time people are spending at home. According to data from Google's COVID-19 Community Mobility Report, the global average of time spent at home increased 35% in March 2020 as a wide range of shelter-at-home orders were put in place.[3] In this context, research from ABI Research suggests that smart home devices, such as touchless doors, cameras and smart speakers, have an important role to play in enabling safe social distancing. The need for contactless ordering and delivery of goods, for example, is expected to increase global sales of voice-controlled devices and cameras.[4]

Smart home IoT devices can also take care of the world outside of the home. By enabling a more efficient use of energy, devices such as smart thermostats, smart lights and smart refrigerators hold the potential to decrease a home's impact on the environment. If half of homes globally transitioned to using smart thermostats by 2050, it is estimated that 2.6 gigatons of carbon dioxide emissions would be eliminated, roughly equal to 8% of global CO2 emissions in 2019.[5]

The concept of a smart home is not a recent creation; it has featured in laboratories and popular culture since the early 1900s. Yet, with recent advances in wireless technology and mobile platforms, smart home devices have become affordable, viable and in demand. Smart home devices typically fall into one of six verticals: energy management, comfort and lighting, home entertainment, security, smart appliances, control and connectivity.[6] According to the International Data Corporation (IDC) Worldwide Quarterly Smart Home Device Tracker, the smart home market is forecast to grow at a compound annual growth rate of 17% from 2019-2023 with nearly 1.6 billion devices shipped in 2023.

FIGURE 1: Smart home devices by segment (smart appliances, security, home entertainment, comfort and lighting, control and connectivity, energy management)

A crisis of trust

To harness these benefits for consumers and the planet and drive economic value, smart home devices must have trust built in so that consumers feel they are fair and safe to use. Incorporating trust across the life cycle of a device is essential for a thriving smart home ecosystem. Whereas individual consumers may place different value on the product features that they feel are important when purchasing devices, consumers come with preexisting expectations regarding the privacy, security, reliability, usability and resilience of their devices. Each one of these aspects affects consumers' perception of the trustworthiness of the product and the manufacturer.

There are a number of important questions on consumers' minds as they consider purchasing smart home devices:

– Could someone hack into my security camera without my knowledge?
– Do companies sell my information to other companies for extra revenue?
– Is my voice assistant listening to my conversations? Can I delete my data?
– Could law enforcement get access to my data?

Recent research conducted by Consumers International and the Internet Society found:[7]

– 75% of respondents distrust the way data is shared
– 50% of respondents do not know how to disable a data collection feature
– 28% of respondents do not want to buy a smart device due to cybersecurity concerns
– 88% of respondents think that manufacturers should have to comply with legal privacy and security standards

These findings clearly articulate the connection between consumer trust and the privacy and security of IoT devices. Moreover, they show that consumers expect policy-makers to play an active role in creating a trustworthy environment by enacting regulations and guidelines for privacy and security. As such, this paper will mainly focus on the privacy and security aspects of the smart home ecosystem to improve trust.

Contrary to common public perception, smart home device manufacturers have been heavily investing in new innovations to build more trustworthy devices. This includes technical solutions like encrypting communication between devices and storing personal data in secured cloud platforms. Many consumer concerns stem from the fact that neither these technical implementations nor the data sharing protocols between companies are transparent or easy to understand.

Additionally, sources such as the Internet Society's report The economics of the security of consumer-grade IoT products and services[8] identify misaligned incentives on the cost of security risks and missing responsibility for attacks on external entities by these IoT devices as critical factors for lack of trust. Taken together, the transparency issues related to technical complexities and the economic considerations related to cost of risks demonstrate an obvious gap between stakeholders' perceptions of trustworthiness in smart home devices.

A path forward

Effectively building consumer trust will require collective action by all stakeholders in the smart home ecosystem. This includes, but is not limited to, device manufacturers, standard development organizations, retailers, government and civil society organizations. Among these stakeholders, policy-makers have an important role to play in establishing a level of consumer protections that reflect common duty of care and establishing the respective responsibilities of the business community and consumers or end users of technology.

While regulations and standards are critical in creating a trustworthy smart home environment, crafting them is no easy feat. Things like software updates, data collection and internet connectivity require frameworks to consider not only design-phase implementations and processes, but also after-sales implementations and processes.[9] To develop proper policies that take these features into account, it is important to consider all the processes related to the product life cycle: from design to business model, to manufacturing, marketing and even after-sales of a smart home device.

These elements of the product life cycle can be grouped into three phases. The first phase is called the pre-market phase and it encompasses activities handled prior to launch: design, business development and manufacturing. The second phase is called sales and setup, and it includes activities related to product marketing, educating consumers about product capabilities and providing consent mechanisms during product setup. The final phase, called after-market, focuses on software feature updates and user rights on data-related processes. Although there are some common themes in all these phases, each offers unique opportunities for building consumer trust.

FIGURE 2: Product life-cycle phases and trust-related topics

Pre-market
– Business models and privacy aspects
– Security by design

Sales and setup
– Transparency of IoT products capabilities
– Consent mechanisms

After-market
– Software update and dynamic product management
– User rights on data management

The sections that follow are structured to map against the three phases of the smart home product life cycle. Section one on the pre-market phase focuses on the impact of business models on privacy and security by design principles. Section two addresses the sales and setup phase and elaborates on topics related to product feature transparency and consent mechanisms. Finally, the section on the after-market phase is dedicated to software updates and user rights on data management of devices. Through each of these sections, this paper intends to help policy-makers and other key stakeholders understand, consider and incorporate the phases of the smart home product life cycle as they define collective actions and guidelines for privacy and security.

2 Pre-Market

Trustworthy products begin with good product design.

A smart home product or service is more than a physical device. In fact, there are three core components that are generally required for a smart home product to achieve "smart" functionality:

– A human-computer interface
– A data platform over cloud infrastructures
– An internet-enabled device

Oftentimes, there is an additional component layered on top to allow for data sharing or device interoperability. It is not uncommon for each of these components within a single smart home product to be developed or managed by a different party. This layered structure and complex business model creates an untamed information jungle with regard to technology stacks, business models and privacy, which creates distrust on the part of the consumer.

Business models and their effect on privacy

One of the ways in which smart home products have enabled companies to improve their revenues is by selling software services with smart home products. Arlo, a smart camera product manufacturer, for example, released home security solutions by selling cameras as products and cloud-recording capabilities with a monthly subscription.[10] Moreover, smart home products enable new business models such as advertising, subscriptions, pay-per-use and maintenance contracts by leveraging connectivity and continuous data streams. For example, streaming service boxes like Roku and Amazon Fire TV work as platforms for television channels, but they also create contracts based on user subscription and advertisement revenue. In fact, the majority of revenue for these streaming box companies does not come from selling streaming devices, but rather through ads and subscriptions.[11]

Unbeknownst to consumers, these companies may also be generating revenue based on consumer data. According to research conducted by Princeton University and the University of Chicago, 89% of Amazon Fire TV channels and 69% of Roku channels include tracking software that collects information about viewing habits and preferences of the users.[12]

While the research on streaming devices shows the hidden data collection mechanisms, Consumers International's research reveals that 65% of consumers are concerned about data collection and data sharing through their smart home devices.

Clearly, one important factor in building trust is ensuring that device manufacturers store and protect user data properly. Unfortunately, there are plenty of examples of irresponsible stewardship of personal data collected by smart home devices. Recently, the Electronic Frontier Foundation (EFF) conducted a test with Ring doorbell devices and discovered that the devices were sharing data with third-party companies, such as Facebook APIs.[13] Since data-sharing features are embedded into the software of the device, a user is not provided with the chance to learn what information is shared.

In recent years, regulators have spent a great amount of time deploying new privacy regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). However, it is still difficult for consumers to check if their devices, or the manufacturers of their devices, are compliant with these regulations. Transparency is essential to overcome this challenge, and there are models for how transparency helped consumers in other areas like OSHWA's Open Source Hardware Certificate, Creative Commons' content licensing, the FCC's Broadband Nutrition Labels, Carnegie Mellon University's Privacy Nutrition Labels, the iFixit Reparability Score, CE certification, the German Blue Angel environmental label, Fairtrade, Energy Star for home appliances and laundry labels.[14]

As listed above, there are many efforts either within the field or in different domains to enable transparency. It is crucial to merge the knowledge in these efforts with the needs of privacy in IoT and consumer education in technology, so that consumers become better informed over time to evaluate products and services.

Security by design

With every new connected device, the cybersecurity risk increases exponentially. Botnets in particular, such as Kaiten, Qbot and Mirai, use IoT devices as the host for an attack on critical internet infrastructure.[15] Consider the Mirai botnet attack that caused many internet services to collapse in 2016. This attack originated in and spread through internet routers and security cameras that were using default passwords. This shows that designing the functionality of password management is necessary, but not enough for achieving security.

Another important feature that increases security and empowers consumers is two-factor authentication (2FA).[16] By implementing 2FA, companies require consumers to be a participant in the authentication process. As a result, this reduces the risk of hacking of the devices. Admin password change and 2FA are just two of the several concepts that manufacturers can embed in smart home products to improve security by enabling consumer contribution.

Another critical factor to consider when it comes to designing for security is the relationship to other devices. If there are several connected devices within the same network, the device with the weakest security precautions may cause other devices to be hacked. In 2017, hackers took over a casino's customer database through a fish tank's temperature adjustment system within the casino.[17] While a temperature sensor is not expected to have as high a level of security as a camera, it should support a meaningful level of security by its design to reduce the risk to other devices.

Finally, security by design should encompass the manufacturing processes of smart home products. In today's connected world, this means that the supply chain should be considered as critical as in-house design. For example, many of the smart home device manufacturers use microcontrollers that are designed and manufactured by third parties. Since consumers do not have insight into these relationships, it is the device manufacturer's responsibility to check all supply chain steps properly.

It is not feasible to expect a user to understand and manage all of these risks properly. On the one hand, a regulatory framework is needed to standardize device security schemes for smart home devices. On the other hand, due to differences in IoT products' capabilities, a one-size-fits-all approach may not work while developing policies.

While new regulations such as the EU Cybersecurity Act, California Bill SB-327 and Oregon House Bill 2395 are being released, there are also many industrial initiatives attempting to standardize products. The Common Criteria (ISO 15408) framework,[18] Underwriters Laboratories' IoT Rating scheme[19] and Mozilla Foundation's Privacy Not Included Guide,[20] IoTSF Compliance Framework[21] and Online Trust Alliance's The OTA IoT Trust Framework[22] are some of the efforts that organizations are actively working on. But none of them currently forces manufacturers to comply with them. As a result, products that do not have proper security precautions can compromise an entire smart home environment. Comprehensive standardization of security will improve the reliability of the overall smart home ecosystem.

FIGURE 3: Underwriters Laboratories' IoT Rating scheme

Bronze (Essential)
– No default passwords: Users do not have to rely on default passwords programmed into a product. Users are instead urged to choose passwords which are difficult to guess/crack.
– Secure update mechanism: Regardless of the method of software update – on-demand or automatic – the updated files are validated and confirmed to be secure and necessary protected by additional authentication mechanisms.
– Secure reset: The factory reset button or function securely removes all sensitive data.

Silver (Enhanced)
– Access control: Access to features which hold sensitive information, i.e. security settings and personal information, is protected by additional authentication mechanisms.
– Industry privacy best practice: The type of data that is collected, processed and stored by the device is made known to the user, and the user is given the opportunity to consent to such collection, processing or storage.
– Product security maintenance: The device is monitored and maintained for security concerns after sale of the device.

Gold (Advanced)
– Stored and transmitted data security: When data is stored or transmitted to the device, the data is secured by using industry supported encryption.
– Secure out-of-the-box settings: The device is secure and ready for use without unnecessary intervention by the user.
– Mobile App security maintenance: If a device connects to an app, the app itself is monitored and maintained for security concerns.

Platinum (Extensive)
– Known threat testing: The device and its software have been tested for publicly known threats.
– Malware protection: The device does not automatically accept and respond to untrusted code.
– Permanent log-in prevention: A user is not able to remain logged in for an indefinite amount of time. The system will intermittently re-authenticate the user.

Diamond (Comprehensive)
– Malicious software modification detection: The device is able to detect if foreign code is being inserted into its system and prevent that code from altering the device.
– Illegitimate access attempt protection: The device protects against repeated failed log-in attempts.
– User data anonymization: Data which is processed, collected and stored is kept in a format which will not lead to identification of the user.

Secure connections (tier not recoverable from the source layout): Any communication connections being utilized by the device are validated and confirmed to be secure.

3 Sales and Setup

Transparency is a critical first step to enable more informed and empowered consumers.

Smart home products have become so ubiquitous that consumers can easily do many daily tasks, such as turning devices on and off and monitoring home security, with the help of these devices. Voice assistants, smart thermostats, security cameras and others make daily life and home management easier and more efficient, but consumers have little knowledge about how the manufacturers of these devices collect and share personal data. Research from Consumers International shows that 77% of consumers look for information available about the product's privacy and security either on a website or in literature included with the product during their purchasing decision process. Moreover, only 50% of consumers know how to disable data collection features on these devices. This knowledge gap for privacy and security requires policy-makers to address transparency issues at two key moments in time: in the creation of marketing materials and at the initial at-home setup of products.

Transparency of IoT product features

Providing real-time situational awareness that enables adaptability and efficiency is one of many important features of smart home devices. This situational awareness is powered by the continuous collection of data from the surrounding environment. While the purpose for providing situational awareness is the same for every device, the technical capabilities and execution may be different. Consider smart doorbell products; at their core, they are intended to let a homeowner know who is at the door by sharing the scene that they record. However, there are a variety of products on the market that offer different video-sharing features. For example, Eufy offers cameras with local storage, while Ring sells products with cloud storage service. Even though both doorbells let users see who is at the door, their data collection and sharing technology are different. Many smart home devices have these technical differences that are not immediately clear to consumers. Even with technical explanations in online retail pages or product packages, it is hard to understand the implications of these specifications. To reduce this knowledge gap, critical features of the devices – such as purpose, wireless technology and data storage location – must be more accessible for consumers.

Several groups are working on labeling frameworks to tackle this problem for the smart home,[23] medical wearables[24] and public spaces,[25] but a formal policy has not been developed yet. Consequently, consumers try to learn not only the features of the product, but also how it operates. If a guideline like Figure 4 below can be created, then people will be able to match their needs with the products more efficiently.

FIGURE 4: An example IoT device label developed at Carnegie Mellon University

Consent mechanisms at initial setup

After purchasing a smart home product, a consumer must sign up to an IoT platform, usually through a smartphone application, in order to use the product. Oftentimes, this sign-up requires a consumer to share personal information such as an email or telephone number and accept a terms of service document. Terms of service documents are the main contract between a consumer and a manufacturer. They are also considered to reflect a consumer's consent to the services that the smart home product offers.

Typically, terms of service documents are long and laden with legalese. This tends to lead consumers to skip over the terms and accept them blindly. Research from York University and Michigan State University shows that 75% of users "accept" terms of service without reading the text.[26] The 25% that try to read the text only spend on average one minute checking the text, which has several thousand words.

By updating the terms of service process and the text within these documents, the IoT ecosystem can increase the awareness of consumers, create consumer agency and improve trust. For example, one initiative called "Terms of Service; Didn't Read" examines the text of ToS and grades them according to their attitude about data collection, sharing and managing user privacy.[27] Besides the declaration, the initiative also shares the insights openly online. While it is tricky to balance user consent and legal responsibilities of manufacturers, it is important for policy-makers to consider a clearer terms of service process to improve consumers' trust.

4 After-Market

Software updates can enable new and improved services; they can also erode trust if not properly managed.

Because smart home products are internet connected, they require software updates and data collection features that conventional products do not need. Autonomous vehicles provide analogous insights into the way connected products can incorporate software and hardware updates to maintain and enhance the value of a connected product. This is perhaps best evidenced in the way Tesla releases software updates to improve the autopilot capabilities of its cars. Within these software updates, Tesla includes features like active safety and advanced driver assistance. Through these features and the associated data collection mechanisms, insurance companies are able to offer new insurance services based on safe driving patterns.[28]

As Tesla created new business value out of software updates, smart home product manufacturers also could begin offering new services that consumers pay extra money for. While the potential for innovation is massive, update and data management infrastructures require regulation and standardization in order to maintain the trustworthiness of these products. This is because manufacturers sell their products not only on the features existing today, but also on the promises they give for the features that are going to be available in the future with the help of software update and data management infrastructure. Regulation and standardization mechanisms will ensure that these platforms operate securely and with high availability to deliver on their promises to all their customers.

Software updates and dynamic product management

One of the most exciting capabilities of smart home products is the way they enable new feature introduction through software updates. For example, a young couple might purchase a washing machine, and then have the ability to upgrade it and include a "baby clothing" programme upon having their first child.[29] But if the feature update and maintenance processes are not designed properly, customers will become upset and companies will lose credibility. Consider Sonos's recent announcement that it would stop releasing software updates for some of its products.[30] This created a customer backlash and degraded the value of Sonos products as people feared that their product might soon become obsolete. Eventually, the company's CEO was forced to walk back his decision and pledge to continue to provide software updates for security purposes.

This example highlights another value driver of software updates for connected products: device cybersecurity. In 2016, the Mirai botnet attacked such connected devices as IP cameras and home routers, allowing it to enter and crash internet services around the world. A recent threat analysis conducted by Palo Alto Networks' Unit 42 revealed that a new version of the Mirai botnet is targeting smart TVs.[31] Since cyberthreats are evolving day by day, IoT device manufacturers should have infrastructure and processes in place to protect and update devices against cyberattacks.

While the introduction of software updates enables new and improved services, it also has the potential to decrease consumer awareness, bypass meaningful consent and ultimately erode trust. Currently, there is no regulation holding smart home manufacturers accountable to a standard. This has implications for operational continuity and raises questions. How will the warranty of this IoT product be affected if the user does not download the software update? How can the user be sure that this device is updated for newly detected viruses? It is important for policy-makers to fill this gap by enacting proper guidelines that require industry to apply or develop proper standards for software update infrastructure.

The information technology industry has been working on these issues for some time and has developed and implemented a group of standards like ISO 27001[32] (Information Security Management System) and 22301[33] (Business Continuity Management). According to these standards, companies must meet several requirements related to continuous operation of their IT systems throughout their operational period. By modelling this approach and defining standards for continuous operation and cyberthreat management, policy-makers in the smart home domain can begin to build toward a more trustworthy smart home environment.

User rights on data management

Like the Tesla insurance example, companies are spinning up new business models based on device usage data. This is usually driven by data processing within the company or by sharing data with third parties. In both cases, consumers can only participate in the process during the consent approval stage. As discussed, consent mechanisms enable a legal framework for businesses to operate, but they do not engender consumer trust. It is critical to enable some level of consumer agency over usage of data to enhance trust. For example, voice assistants have been listening to us for some time and it was not an easy task for a regular consumer to delete personal data from the platforms. In 2019, Amazon released new software for Echo devices and enabled consumers to delete their voice recordings dynamically by voice commands whenever they want.[34] Although this implementation is a helpful improvement within the domain, there are many devices that do not allow users to delete their data immediately even if requested.

Regulations such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require manufacturers to delete all data related to consumers whenever they request it, but it is not easy for consumers to find an interface to request deletion. To empower consumers to manage their data, there should be standards or regulations to check the effectiveness of the consumer data rights portals of consumer IoT device manufacturers.
5 Conclusion

Regulations and governance models do not need to be reinvented; the building blocks for a more trustworthy smart home exist today.

Trust is essential to realize the full potential of smart home technologies. Despite efforts by product manufacturers to build more trustworthy and secure platforms, consumer concerns persist, with three-quarters of consumers expressing distrust over how their data is being shared and 28% of consumers saying they will not purchase smart devices due to security risks. To overcome these concerns, increased transparency and consumer awareness – particularly with regard to complex business models and technical solutions – is essential. New regulations, standards and governance models will need to build in trust at every stage of the product life cycle, including during the design and pre-market phase, during sales and setup, and after-market.

In pre-market phases, privacy by design and security by design principles should be controlled by either certification schemes or labeling mechanisms. Moreover, the effect of business models on privacy needs to be considered in detail. Second, product marketing materials and product packages should contain information about the device’s capabilities in a simpler way so that consumers can understand better. Since users need to accept a terms of service agreement before using smart home devices, consumers should be well-informed about what they are accepting during this process. Finally, maintenance of smart home products requires some extra effort to keep the device up to date and keep it secure against cyberattacks. In addition, consumers have rights to manage their personal data. Thus, device manufacturers should be able to answer users’ requests like deletion or correction of data immediately via a simple and easy-to-use interface. All these measures seem very complex, but they are all important building blocks for a trustworthy smart home environment.

Regulations and governance related to each phase do not need to be reinvented or managed in separate frameworks. Rather, there are important efforts that have been in progress for some time, like the European Telecommunications Standards Institute’s ETSI 303 645, [35] the Code of Practice for Consumer IoT Security [36] in the United Kingdom and the National Institute of Standards and Technology’s NISTIR 8259 [37] in the United States. Second, different industries like payment or IT systems have deployed policies according to their needs too. Finally, there are also relevant academic studies like Carnegie Mellon University’s labeling effort and Dartmouth College’s project on security and privacy of IoT products. [38] All these efforts can be utilized as a baseline for a more robust and reliable smart home ecosystem for consumers to stay at home safely.

Now is the time for business, government and civil society to come together, to align their efforts and ensure that everyone can feel safe in the home of the future.
Contributors

Lead author

Burak Demirtas
Koç Holding Fellow, Centre for the Fourth Industrial Revolution, World Economic Forum

Acknowledgments

This white paper benefitted from the input of experts and diverse stakeholders, including, but not limited to, the following.

Rashid Alahmedi
Chief Operating Officer, Dubai Electricity and Water Authority, United Arab Emirates

Kimmy Bettinger
Specialist, Internet of Things, Robotics and Smart Cities, World Economic Forum

Tim Danks
Vice-President, Risk Management & Partner Relations, Huawei Technologies, USA

William Dixon
Head of Future Networks and Technology, Centre for Cybersecurity, World Economic Forum

David Kotz
Pat and John Rosenwald Professor, Department of Computer Science, Dartmouth College, USA

Helena Leurent
Director-General, Consumers International, United Kingdom

Katerina Megas
Commercial Adoption Lead, Trusted Identities Group and Program Manager, Cybersecurity for Internet of Things (IoT) Program, National Institute of Standards and Technology (NIST), USA

Jeff Merritt
Head of Internet of Things, Robotics and Smart Cities, World Economic Forum

Robert Morcos
Founder and Chief Executive Officer, Social Mobile, USA

Hitomi Sano
Associate Director, Corporate Strategy, Eisai, Japan

Geoff Wylde
Lead, Internet of Things, Robotics and Smart Cities, World Economic Forum
Endnotes

1 Michele W. Berger, “How the appliance boom moved more women into the workforce”, PennToday, 30 January 2019, https://penntoday.upenn.edu/news/how-appliance-boom-moved-more-women-workforce.
2 Ultra-Processed Diets Cause Excess Calorie Intake and Weight Gain: An Inpatient Randomized Controlled Trial of Ad Libitum Food Intake. Hall KD, Ayuketah A, Brychta R, Cai H, Cassimatis T, Chen KY, Chung ST, Costa E, Courville A, Darcey V, Fletcher LA, Forde CG, Gharib AM, Guo J, Howard R, Joseph PV, McGehee S, Ouwerkerk R, Raisinger K, Rozga I, Stagliano M, Walter M, Walter PJ, Yang S, Zhou M. Cell Metabolism. 2019 May 10. pii: S1550-4131(19)30248-7. doi: 10.1016/j.cmet.2019.05.008. PMID: 31105044. https://www.ncbi.nlm.nih.gov/pubmed/31105044.
3 Mohammed Haddad, “Coronavirus: How much more time are people spending at home?”, Aljazeera, 12 April 2020, https://www.aljazeera.com/news/2020/04/coronavirus-world-staying-home-200406122943899.html.
4 Philip Prado, “Smart home tech sales could jump 30% as consumers combat the coronavirus”, androidauthority.com, 1 April 2020, https://www.androidauthority.com/coronavirus-smart-home-1101558.
5 Paul Hawken, “Drawdown: The Most Comprehensive Plan Ever Proposed to Reverse Global Warming”, 2017, https://www.amazon.com/dp/B01KGZVNT0/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1.
6 Christoph Blumtritt, “Statista Digital Market Outlook, Smart Home Report 2019”, Statista.com, 1 September 2019, https://www.statista.com/study/42112/smart-home-report.
7 Consumers International, Internet Society, “The Trust Opportunity: Exploring Consumers’ Attitudes To the Internet of Things”, 1 May 2019, Consumers International & Internet Society, https://www.consumersinternational.org/media/261950/thetrustopportunity-jointresearch.pdf.
8 Mark McFadden, Sam Wood, Robindhra Mangtani, Grant Forsyth, “The Economics of the security of consumer-grade IoT products and services”, 1 April 2019, Internet Society, https://www.internetsociety.org/wp-content/uploads/2019/04/The_Economics_of_Consumer_IoT_Security.pdf.
9 Kevin Guerin, “A life cycle approach to IoT security”, https://www.riskinsight-wavestone.com/en/2019/09/life-cycle-iot-security/, 17 September 2019.
10 Vigderman, Aliza, “Arlo Camera System”, security.org, 6 July 2020, https://www.security.org/security-cameras/arlo.
11 Binder, Matt, “Netflix is paying to advertise on your Roku remote and you don’t even know it”, Mashable, 12 December 2019, https://mashable.com/article/roku-button-home-screen-advertising.
12 Hooman Mohajeri Moghaddam, Gunes Acar, Ben Burgess, Arunesh Mathur, Danny Yuxing Huang, Nick Feamster, Edward W. Felten, Prateek Mittal, Arvind Narayanan, November 2019, Princeton.edu, https://www.princeton.edu/~pmittal/publications/tv-tracking-ccs19.pdf.
13 Bill Budington, “Ring Doorbell App Packed With Third-Party Trackers”, 27 January 2020, Electronic Frontier Foundation, https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers.
14 Peter Bihr, “A trustmark for IoT”, Thingscon, 13 September 2017, https://thingscon.org/publications/report-a-trustmark-for-iot.
15 Trend Micro, “Caught in the Crossfire: Defending Devices From Battling Botnets”, 15 July 2020, https://www.trendmicro.com/vinfo/ph/security/news/internet-of-things/caught-in-the-crossfire-defending-devices-from-battling-botnets.
16 Fruhlinger, Josh, “2fa explained: How to enable it and how it works”, 10 September 2019, CSOOnline, https://www.csoonline.com/article/3239144/2fa-explained-how-to-enable-it-and-how-it-works.html.
17 Alex Schiffer, “How a fish tank helped hack a casino”, 21 July 2017, Washington Post, https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino.
18 Common Criteria Organisation, https://www.commoncriteriaportal.org.
19 Underwriters Laboratories, https://ims.ul.com/IoT-security-rating.
20 Mozilla Foundation, https://foundation.mozilla.org/en/privacynotincluded/about.
21 IoT Security Foundation, https://www.iotsecurityfoundation.org/iotsf-issues-update-to-popular-iot-security-compliance-framework.
22 Internet Society, https://www.internetsociety.org/resources/doc/2018/iot-trust-by-design, 22 May 2018.
23 Lily Hay Newman, “IoT Security Is a Mess. Privacy ‘Nutrition’ Labels Could Help”, 9 June 2020, Wired, https://www.wired.com/story/iot-security-privacy-labels.
24 Andrea Coravos, Megan Doerr, Jennifer Goldsack, Christine Manta, Mark Shervey, Beau Woods, William A Wood, 2 April 2020, Nature.com, https://www.nature.com/articles/s41746-020-0237-3#Fig2.
25 Sidewalk Labs, 19 April 2019, Sidewalk Labs GitHub Repository, https://github.com/sidewalklabs/dtpr/blob/master/dtpr_designguide/DTPR_Design_Guide.pdf.
26 Jonathan A. Obar, Anne Oeldorf-Hirsch, “The Biggest Lie on the Internet: Ignoring the Privacy Policies and Terms of Service Policies of Social Networking Services”, 18 August 2018, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2757465.
27 Terms of Service; Didn’t Read, https://tosdr.org/index.html.
28 Tesla, https://www.tesla.com/support/insurance.
29 LG, https://www.youtube.com/watch?v=AYVWqfJaR3o.
30 SONOS, https://blog.sonos.com/en/end-of-software-updates-for-legacy-products.
31 Ruchna Nigam, 18 March 2019, “New Mirai Variant Targets Enterprise Wireless Presentation & Display Systems”, Palo Alto Networks, https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems.
32 International Organization for Standardization, https://www.iso.org/isoiec-27001-information-security.html.
33 International Organization for Standardization, https://www.iso.org/standard/50038.html.
34 Jason Cipriani, 29 May 2019, “Amazon Echo stores your voice commands. Here’s how Alexa can delete them”, C|net, https://www.cnet.com/how-to/amazon-echo-stores-your-voice-commands-heres-how-alexa-can-delete-them.
35 European Telecommunications Standards Institute, https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.00.00_20/en_303645v020000a.pdf.
36 Department for Digital, Culture, Media & Sport, “Code of Practice for Consumer IoT Security”, October 2018, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf.
37 Michael Fagan, Katerina N. Megas, Karen Scarfone, Mathew Smith, “Foundational Cybersecurity activities for IoT device manufacturers”, National Institute of Standards and Technology, 1 May 2020, https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf.
38 Security and Privacy in the Lifecycle of IoT for Consumer Environments (SPLICE), https://splice-project.org.
The World Economic Forum, committed to improving the state of the world, is the International Organization for Public-Private Cooperation. The Forum engages the foremost political, business and other leaders of society to shape global, regional and industry agendas.

World Economic Forum
91–93 route de la Capite
CH-1223 Cologny/Geneva
Switzerland
Tel.: +41 (0) 22 869 1212
Fax: +41 (0) 22 786 2744
contact@weforum.org
www.weforum.org